Regin: The super-spyware the security industry has been silent about

NSA fingered as likely source of complex malware family

A public autopsy of sophisticated intelligence-gathering spyware Regin is causing waves today in the computer security world.

But here's a question no one's answering: given this super-malware first popped up in 2008, why has everyone in the antivirus industry kept quiet about it until now? Has it really taken them years to reverse engineer it?

The software targets Windows PCs, and a zero-day vulnerability said to be in Yahoo! Messenger, before burrowing into the kernel layer. It hides itself in own private area on hard disks, has its own virtual filesystem, and encrypts and morphs itself multiple times to evade detection. It uses a toolkit of payloads to eavesdrop on the administration of mobile phone masts, intercept network traffic, pore over emails, and so on.

It appears to target people working in telecommunications, including internet backbone providers and cellular networks, plus the energy sector – where Yahoo! Messenger is apparently popular. All in all, it seems to be the handiwork of an intelligence agency rather than a run-of-the-mill malware writer, infosec bods have concluded.

For one thing, it doesn't operate like conventional spyware: Regin doesn't form a remotely controlled botnet – suggesting its masters really didn't want it to be found – nor does it harvest personal financial information.

Instead it collects intelligence useful to state spies. Coupled with the fact that virtually no infections have been reported in the US, UK or other Five Eyes nations, some to suspect it's the work of the NSA, GCHQ or their contractors.

Kaspersky's report on Regin today shows it has the ability to infiltrate GSM phone networks. The malware can receive commands over a cell network, which is unusual.

The Regin malware popped up on antivirus radars years ago. Symantec says it has been investigating Regin for over a year, although reckons earlier builds have been circulating since 2008. Microsoft first reported it back in 2011, and Kaspersky Lab thinks that it could have been around for as long as ten years.

So why the silence? Security software vendors usually love deluging the press with reports of malware, so you'd think that when Regin was first caught and analyzed, people would have made a song and dance about it.

F-Secure, one of the leading outfits investigating government malware, spotted Regin on a customer's computer two years ago. Chief research officer Mikko Hypponen said on Monday his company had kept silent on the malware because its client had asked it to, although he said F-Secure had added detection for the spyware to its antivirus software. Hypponen is sure Regin is state-sponsored malware.

Only a few hundred infections have been linked to Regin, but the choice of targets is striking. The malware apparently infiltrated the computers of noted Belgian cryptographer Professor Jean-Jacques Quisquater and Belgian telco Belgacom – a network compromise blamed on the NSA and GCHQ by Edward Snowden.

This low infection count could have been what has allowed Regin to fly under the radar for quite so long. With hundreds of thousands of malware samples found every year, a small outbreak doesn't get much attention, which is just what a state-sponsored attacker would be looking for.

Much more attention is now being focused on Regin in the coming days. While it's impossible to say where exactly the malware came from, it looks likely that your tax dollars or pounds could be at work. ®